Bug 11765

Summary: REGRESSION: Clicking on a select with size other than 1 and no children results in a crash
Product: WebKit Reporter: Jacob Lukas <jlukas>
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: mitz
Priority: P1 Keywords: Regression
Version: 420+   
Hardware: Mac   
OS: OS X 10.4   
Attachments:
Description Flags
Reduced test case
none
First attempt adele: review+

Description Jacob Lukas 2006-12-05 17:15:58 PST 
Clicking on a select with size other than 1 and no children results in a crash. This is reproducible every time.
Comment 1 Jacob Lukas 2006-12-05 17:16:33 PST 
Created attachment 11747 [details]
Reduced test case
Comment 2 Matt Lilek 2006-12-05 17:44:34 PST 
Confirming - I also get the following assertion failure

ASSERTION FAILED: i < size()
(/Users/matt/Code/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/PrivateHeaders/Vector.h:387 const T& WTF::Vector<T, inlineCapacity>::at(size_t) const [with T = WebCore::HTMLElement*, long unsigned int inlineCapacity = 0ul])
Comment 3 Rob Buis 2006-12-08 05:17:38 PST 
Created attachment 11771 [details]
First attempt

This patch should fix it. The testcase is a bit tricky but I think it does the job, with ToT it shows the crash, with my patch it will say Passed.
Cheers,

Rob.
Comment 4 Rob Buis 2006-12-08 15:07:42 PST 
Landed in r18089.